LivingSocial, the online offers site owned in largish part by Amazon, has just emailed its userbase, said to be 50,000,000-strong, to fess up to a data breach.

That’s right: another day, another shed-load of password hashes in the hands of crooks.

At least LivingSocial’s password database was salted and hashed, which reduces the impact of the breach a lot.

Naked Security reader Chris, from Melbourne, Australia, kindly sent us a copy of the notification email he received:

LivingSocial recently experienced a security breach on our computer systems that resulted in unauthorised access to some customer data from our servers. We are actively working with the authorities to investigate this issue.

The information accessed includes names, email addresses, the date of birth of some users, and encrypted passwords; technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

To revise password storage quickly: don’t store the actual password.

Store a random string of characters instead, combine the password and this random string (that’s “salting” the string to vary its flavour), and pass the salted password through a non-reversible cryptographic function to get a message digest code (that’s “hashing” the data by slicing, dicing and stirring together the salted input in a digital mixing bowl).

A crook can check to see if your password is, say, s3cr3cy by salting-and-hashing himself, but he has to start with a guess, because he can’t go back from the hash to your password.

→ You often hear the term “hashed and salted”, as in the email above, but technically you salt and then hash, otherwise the salt wouldn’t get mixed into the hash calculation.

The silver lining I’m always determined to find when SNAFUs like this occur is that LivingSocial took the opportunity to sneak an additional, and pertinent, security reminder into its breach notification:

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to login – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

Good advice, not least because cybercrooks love to take security announcements, from patches and updates to breach notifications, and use them to try to get new victims on the hook.

And it’s just when you’re expecting a notification from a company you do business with that you are at the greatest risk of believing emails that you’d probably discard out of hand at any other time.

→ Never click on login links contained in emails. A reputable company will never send you such emails, precisely so you can assume that all email-borne login links are bogus, and ignore them. The same sort of reason why many jurisdictions require game hunters, whom you’d expect to sneak around in camouflage, to wear conspicuously lurid and unnatural-looking jackets. If you’re dressed entirely unlike any other animal on Planet Earth, you won’t be mistaken for one.

If you read LivingSocial’s online warning, you will see a further suggestion on what to do next:

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).

That’s also good advice, but a few more words would have made it even better: if you’ve used the same password on multiple sites, change the passwords on those sites so that they are all different.

And if you are in the habit of re-using passwords, don’t wait until one of your accounts gets hacked before you go and change all those common passwords.

The whole idea of using different passwords on different sites is to avoid what you might call a “race to the bottom,” where all your logins end up as insecure as the slackest, sloppiest, weakest site on the list.

And if you struggle to come up with decent passwords, fear not: here’s how to do it:

Post navigation

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Follow him on Twitter: @duckblog

6 comments on “50,000,000 usernames and passwords lost as LivingSocial “special offers” site hacked”

I received this email from them but don't recall the password since I don't even recognize their name. Anyhow when I went to their site and input my email address it stated that I "had never set up an account, even though I'm signed up to receive their emails."

Would this mean that I don't have a password stored with them, even if perhaps I ordered something through their email ads in the past?

If you don't know your password for the service, and indeed don't even seem to have an account…then you can't follow their advice and change anything, and you can't close your account.

Presumably you are in a database somewhere, but not apparently one associated with a functioning login.

If you've never been in the habit of reusing passwords (or if you were and have now changed *and diversified* all the passwords you do know about) then I'd suggest you can just shrug the whole thing off.

"Pass the hash" is something slightly different. It relates to Windows-style authentication, where a hash is exchanged over the network as part of the login process, so that the cleartext password isn't. That's a hash used as a way of maintaining password secrecy *in transit*.

In the use of hashes described above, the hash never goes over the network – the actual password does. So the secrecy of the password in transit relies on HTTPS (secure HTTP).

The hash in the example above is used to maintain password securcy *at rest*. You send the password over a secure channel (HTTPS), convert it to a hash in memory on the server, and compare with what's on disk on the server. So the raw password never needs to be saved on disk.

The hash can't be "replayed" in this case, because it isn't sent from client to server as part of the protocol. So the hash is only useful in letting you verify your efforts to guess the password. It can't be used in lieu of the password.

Does livingsocial have this under control now? Or is it still unsafe to log on to their website? Also, I just want to verify which password I used for this livingsocial website because I DO have an account. That way, I can make sure no other accounts on any other websites I use uses that same password. Thanks!